users and resources. The Directory Service allows the network administrators to manage the user’s
access to the resources. The Directory acts as a central point of control and management of the network
operating system.
The main advantages of Directory Services are:
• Simplified management: by acting as a single point of management, a directory can ease the
administrative tasks associated with complex networks.
• A higher level of security: directories offer a single logon facility and a more secure
authentication process.
• Interoperability: most Directory Services available today are based on industry standards such as
X.500 and the Lightweight Directory Access Protocol (LDAP), which allows sharing of resources in a
heterogeneous environment.
Directory Services applications store data in their own database. The following are the important
kinds of data kept in the Directory Services database:
• User Account Information (Login name, Password, Restrictions).
• User Personal Information (Phone number, Address, Employee ID).
• Peripheral Configuration Information (Printers, Modem, Fax).
• Application Configuration (Desktop Preference, Default Directories).
• Security Information.
• Network Structure.
• Network Infrastructure Configuration.
Edb.log
Edb.log is a transaction log. Any changes made to objects in Active Directory are first saved to a
transaction log. During non-peak times in CPU activity, the database engine commits the transactions
into the main Ntds.dit database. This ensures that the database can be recovered in the event of a
system crash. Entries that have not yet been committed to Ntds.dit are kept in memory to improve
performance. Transaction log files used by the ESE engine are always 10MB. (The Extensible Storage
Engine is an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft; ESE is
the core of Microsoft Exchange Server and Active Directory.)
Edbxxxxx.log
These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can
be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up,
an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is
renamed to Edb.log, and the process starts over again. Excess log files are deleted after they have
been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many
updates pending.
Edb.chk
Edb.chk is a checkpoint file. It is used by the transaction logging system to mark the point at which
updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint
moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system
how far along a given set of commits had progressed before the termination.
Temp.edb
This is a scratch pad used to store information about in-progress transactions and to hold pages pulled
out of Ntds.dit during compaction.
Schema.ini
This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not
used after that has been accomplished.
An Active Directory site is a physical subnet that is connected using a reliable, high-bandwidth
connection. An Active Directory site structure represents the physical structure of your network and
is separate from the logical structure of the network, which is represented by forests, domains, and
organizational units. Sites are used to designate replication boundaries and isolate logon
authentication traffic between physical network locations.
A single Active Directory site can contain resources from different Active Directory domains, and a
single Active Directory domain can exist across different Active Directory sites.
You should create additional Active Directory sites to control Active Directory replication traffic and
to isolate logon traffic.
Remember, an Active Directory site is connected using a reliable, high-bandwidth connection. Each
site should have at least one Active Directory Domain Controller and one Global Catalog, to avoid
using low-bandwidth WAN connections for Active Directory replication traffic and to isolate logon
traffic.
Each Active Directory site should also have at least one DNS server and one DHCP server, for name
resolution and for assigning IP settings to computers automatically.
How to create an Active Directory site
Active Directory Sites can be created using the Active Directory Sites and Services snap-in (Start >
Programs > Administrative Tools > Active Directory Sites and Services). Windows Server 2003 creates
the first site automatically when AD is installed. The default name of the first site is
"Default-First-Site-Name", and it includes all the domain controllers. It is possible to rename the
default site, but it should never be deleted. Additional sites must be created manually.
Right Click Sites and select "New Site" from the popup menu.
The "New Object-Site" dialog box allows you to enter the name of the new Active Directory site and to
select the site link for the new site. Windows Server 2003 creates a default site link called
DEFAULTIPSITELINK that can be used to establish the replication process of the Active Directory
service. This default site link uses RPC over TCP/IP, and it will use any available route to the remote
site for replication.
After the new Active Directory site is created, you need to complete some other tasks as well;
Windows Server 2003 lists these tasks in the dialog box.
• Add required IP subnets to the new site.
• Install a new Active Directory Domain Controller, or move an existing Active Directory Domain
Controller to the new site (Although a domain controller is not mandatory for a site, it is strongly
recommended for obvious reasons).
• Connect the site to other existing Active Directory sites within the forest with the appropriate site
link.
• Configure a licensing server within the site.
How to create and configure subnets for Active Directory Sites
A subnet is a portion of the IP space of a network. Subnets are described by their IP network address
combined with a subnet mask measured in bits. See the IPv4 addresses and Class C subnetting
tutorials to learn more.
The subnet objects in Active Directory are the logical representation of the subnets in your physical
network environment.
Subnet information is used by clients to find a Domain Controller in the same site, and by Active
Directory replication to determine the best routes between domain controllers.
Subnets must be defined in Active Directory to ensure accurate and efficient directory replication and
resource usage.
To create a new subnet, right click the subnets folder and select "New Subnet" from the popup menu.
In the New Object - Subnet dialog box shown below, type the subnet address and the subnet mask of
this site's subnet. Choose a site to associate with this subnet (in this example, I have selected the
"Chennai" site), and then click OK. Note that the CIDR notation of the address is also displayed in the
dialog box.
To create another subnet object, again right click the subnets folder and select "New Subnet" from the
popup menu.
In the New Object - Subnet dialog box shown below, type the subnet address and the subnet mask of
the next site's subnet. Choose another site to associate with this subnet (in this example, I have
selected the "Bangalore" site), and then click OK.
Now you can see the two subnets we have created in this exercise and their associated sites displayed
in the Active Directory Sites and Services snap-in.
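The subnet-to-site mapping described above, as an added example that is not part of the original page: it converts an address plus dotted mask into the CIDR form the dialog displays, then resolves client IPs to their site by longest prefix match (the subnet addresses are constructed; only the site names come from the page).

```python
"""Resolve a client IP to its Active Directory site from subnet objects.

Added example, not code from the original page. The subnet addresses and
masks are constructed; only "Chennai" and "Bangalore" come from the page.
"""
import ipaddress
from typing import Optional

# Constructed subnet objects, written the way the "New Object - Subnet"
# dialog takes them: a network address plus a dotted subnet mask.
SUBNET_OBJECTS = [
    ("192.168.10.0", "255.255.255.0", "Chennai"),
    ("192.168.20.0", "255.255.255.0", "Bangalore"),
    ("192.168.0.0", "255.255.0.0", "Chennai"),  # broad summary subnet
]


def to_cidr(address: str, mask: str) -> str:
    """Return the CIDR form the dialog displays, e.g. 192.168.10.0/24.

    strict=True raises ValueError for an address with host bits set, so
    a mistyped subnet object is rejected instead of silently widened.
    """
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=True))


def build_site_table(objects):
    """Parse the subnet objects into (network, site) pairs."""
    return [(ipaddress.ip_network(to_cidr(a, m)), s) for a, m, s in objects]


def site_for_ip(ip: str, table) -> Optional[str]:
    """Site of the most specific (longest prefix) subnet containing ip.

    Returns None when no subnet object covers the address: such a client
    belongs to no site, so the DC locator cannot steer it to a local
    domain controller and its logon traffic may end up crossing the WAN.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


if __name__ == "__main__":
    table = build_site_table(SUBNET_OBJECTS)
    for client in ("192.168.10.25", "192.168.20.7", "192.168.99.1", "10.0.0.5"):
        print(client, "->", site_for_ip(client, table))
```

A client that resolves to None is the case the page warns about: without a matching subnet object, site-aware DC location cannot work for it.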
• In the “New Object - Site Link” dialog box, type the name for the site link in the Name field.
• In the “Sites Not in This Site Link” box, click two or more sites to connect, and then click Add. Click
OK.
The newly created Active Directory site link is listed in the Active Directory Sites and Services snap-in.
How to configure Site Link attributes
You should configure the site link's properties after you create a site link. Configuring a site link allows
you to specify the link cost, replication schedule, and replication interval. An Active Directory site
link's properties can be configured as explained below.
In the Active Directory Sites and Services snap-in, site links are added to either the IP or the SMTP folder
under Inter-Site Transports. Select the protocol folder (either IP or SMTP) by clicking it, right-click
the site link you want to configure, and select "Properties" from the pop-up menu.
The Properties dialog box of "Chn-Blore" Site Link will be displayed, as shown below.
In the above dialog box, you can configure two important properties related to the site link, the link
cost and the site link replication frequency, as explained below.
• Select the intersite transport or transports for which this computer will be a preferred bridgehead
server. Click Add, and then click OK.
What is Site Link Bridge and How to create Site Link Bridge
A site link bridge connects two or more site links. A site link bridge enables transitivity between site
links. Each site link in a bridge must have a site in common with another site link in the bridge.
By default, all site links are transitive, and it is recommended to keep transitivity enabled by leaving
"Bridge all site links" at its default value (enabled).
We may need to disable "Bridge all site links" and design site link bridges explicitly when:
• The IP network is not fully routed.
• We need to control the replication flow in Active Directory.
To create a site link bridge, follow these steps:
• Open Active Directory Sites and Services.
• Open the "Inter-Site Transports" folder, right-click either the IP or the SMTP folder, and then click
New Site Link Bridge.
• Type a name for the site link bridge and select the site links to be added to this site link bridge.
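The effect of link cost and of the "Bridge all site links" setting on inter-site replication routes, as an added example that is not part of the original page: with bridging enabled any chain of site links may be used, while with it disabled a route may only chain the links placed in one explicit site link bridge (the costs, the site "Delhi" and the link "Blore-Delhi" are constructed; "Chennai", "Bangalore" and "Chn-Blore" are the page's names).

```python
"""Cheapest inter-site replication route over Active Directory site links.

Added example, not code from the original page. Link costs, the site
"Delhi" and the link "Blore-Delhi" are constructed; "Chennai",
"Bangalore" and the site link "Chn-Blore" are names the page uses.
"""
import heapq
from typing import Dict, List, Optional, Tuple

# link name -> (sites on the link, cost), as set in the site link's Properties.
SITE_LINKS: Dict[str, Tuple[List[str], int]] = {
    "Chn-Blore": (["Chennai", "Bangalore"], 100),
    "Blore-Delhi": (["Bangalore", "Delhi"], 200),
}


def _cheapest(links, src: str, dst: str) -> Optional[int]:
    """Dijkstra over the given links only; every pair of sites on one link is joined."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for sites, cost in links.values():
        for a in sites:
            for b in sites:
                if a != b:
                    adj.setdefault(a, []).append((b, cost))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            return d
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, cost in adj.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None


def replication_cost(src, dst, links=SITE_LINKS, bridge_all=True, bridges=()):
    """Cost of the cheapest route, honouring the "Bridge all site links" setting.

    bridge_all=True: every link is transitive, so any chain of links may be used.
    bridge_all=False: a route may chain only links that belong to one explicit
    site link bridge (a tuple of link names); a single link is always usable.
    """
    if bridge_all:
        return _cheapest(links, src, dst)
    groups = [(name,) for name in links] + [tuple(b) for b in bridges]
    costs = [_cheapest({n: links[n] for n in g}, src, dst) for g in groups]
    return min((c for c in costs if c is not None), default=None)
```

A result of None means the two sites have no replication route at all, which is exactly what happens when bridging is turned off without a bridge that spans the intermediate links.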
What is Active Directory Global Catalog
The Active Directory Global Catalog is the central storage of information about objects in an Active
Directory forest. A Global Catalog is created automatically on the first domain controller in the first
domain in the forest. The Domain Controller which is hosting the Global Catalog is known as a Global
Catalog Server. A Global Catalog server stores a full copy of all objects in the directory for its host
domain and a partial copy of all objects for all other domains in the forest. The Global Catalog helps in
searching Active Directory objects in the forest more efficiently.
The Active Directory Global Catalog is responsible for several other important functions of the Active
Directory, such as the following:
• Logon validation of universal group membership
• User Principal Name (UPN) logon validation through DC location
• Search capabilities for every object within an entire forest
The function of a Global Catalog can be compared to a telephone directory: like a telephone directory,
it stores information that users can query to find specific entries.
When you create the Active Directory forest, by default the first Domain Controller will serve as the
Global Catalog Server, but we can designate any Domain Controller as the Global Catalog Server.
To configure a Domain Controller as Global Catalog Server, follow these steps.
• Open Active Directory Sites and Services (Start > Programs > Administrative Tools > Active
Directory Sites and Services).
• Select the Sites branch.
• Select the site that owns the server, and expand the Servers branch.
• Expand the Domain Controller by double clicking on it.
• Right-click "NTDS Settings" and select Properties from the popup menu.
If you want to assign this Domain Controller as the Global Catalog, check the "Global Catalog"
checkbox in the "NTDS Settings Properties" dialog box.
Schema Master
The Active Directory schema defines what can exist within the directory. Updating it with new objects
and attributes should be a closely monitored process. There is only a single read/write copy of the
schema on your Windows Server 2003 network, stored on the Schema Master.
The domain controller assigned the schema master role controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master.
There is only a single Schema Master in the entire forest at any time.
Infrastructure Master
The domain controller assigned the infrastructure master role is responsible for updating the
group-to-user references whenever the members of groups are renamed or changed.
There is a single Infrastructure Master per domain.